Posted
by
samzenpuson Monday March 26, 2012 @09:33AM
from the don't-bot-me-bro dept.

wiredmikey writes "Microsoft, in what it called its 'most complex effort to disrupt botnets to date,' and in collaboration with partners from the financial services industry, has successfully taken down operations that fuel a number of botnets that make up the notorious Zeus family of malware. In what Microsoft is calling 'Operation b71,' Microsoft and its co-plaintiffs, escorted by U.S. Marshals, seized command and control (C&C) servers in two hosting locations on March 23 in Scranton, Pennsylvania and Lombard, Illinois. The move was to seize and preserve data and evidence from the botnets for the case. In addition to seizing the C&C servers, the group took down two IP addresses behind the Zeus command and control structure, and secured 800 domains that Microsoft is now monitoring and using to help identify computers infected by Zeus."

sorry but the point, I think, is for microsoft not only to "sting" the servers and finding the infected computers.... what are they doing in order to prevent those computers to become infected? I think the problems should be addressed from several parts.. stinging the command and control will only relief for some time... in a few days or weeks, another virus or trojan will infect pcs again and so on... what is Microsoft doing in order to avoid PCs to be infected.

Well it looks like microsoft (corporate) law enforcement is part of USA culture. Today, USA=CSA Corporate States of America.

The USA government has the organic ability to provide law enforcement muscle domestically and globally.The CSA government has the organic ability to provide law enforcement cronyism domestically and globally.Together they will shape US and the world accordingly. IOW: Might makes rights

Every month Microsoft crowns itself the obliterator of botnets for some weird reason. All stories are never heard of a few days later.Nothing really will change, a publicity stunt is what a publicity stunt is. And if you have to ask... You lost "just because"

The operation is the second time Microsoft has conducted physical seizures in a botnet takedown operation, and is the first known time the Racketeer Influenced and Corrupt Organizations (RICO) Act has been applied as the legal basis in a consolidated civil case to charge all those responsible in the use of a botnet.

Well it says they had US Marshals with them. In the same was as a bank can come with the local Sheriff to repossess a home from folks that haven't been paying. It isn't even an issue; it is the way this stuff works. It is interesting that you think it is an issue though. Would you - as a private party or as an agent of a corporation - want to send a Marshal or Sheriff to get some item without having your representative on scene to be sure it was the right item and that it wasn't damaged?

When non-government representatives set foot on what is essentially an alleged crime scene, they could tamper with the evidence and/or taint the crime scene (even inadvertently). Having LEO on the scene is no guarantee this won't happen.

You know how you can punch someone in the face and then they can sue you to take all your stuff? That's how. The people running these things are causing damage to Microsoft and its customers. A better question is why is this question asked every time Microsoft takes down a botnet?

Maybe the warrant was written that way, or perhaps the authorities used them as specialists. However, as tow truck drivers seize private property every day, I suspect that it's not as big of a hurdle as you believe.

I probably shouldn't be admitting this online- but I am part of Microsoft's counter-terror department. We are a highly trained SWAT team that risks our life daily raiding LINUX farms. Our safety demands daily communication using Windows phones; it is one of the most dangerous jobs in the country.

We are highly trained in many ways to take on any situation needed. Even take out the Prez if he threatens to sign any bill that would not be favourable of Microsoft. We constantly run into our major foe, Apple, and fight hand-to-hand combat in the street and the patent office.

After announcing this initiative, I am in grave danger. Within a few weeks I will be tracked by other operatives by the GPS on my windows phone... if the battery doesn't die first.

Holy shit that is funny! Someone needs to spoof this concept to film ala "Anchorman, the legend of Ron Burgundy" and have a street fight/hacking fight scene involving Microsoft, Google, Facebook and Apple.

I don't think there is a rule expressing that an outside entity can do the search, if they enter with the appropriate Warrent. I mean we can have Private Investigators do searches, it would make sense when investigating digital data that law enforcement brings experts to let them know what to look for. Otherwise you get a bunch of cops tare a building apart and not really know what to use and what to ignore.

I could've written your post myself. I'm no M$ fan, but kudos to them on this one.
Now cue the usual Slashdot mob, who'll defend the bot herders, bash Windows security (NO operating system is secure when run a by a person hell-bent & determined to fuck up his own computer) all corporations, and the United States in general...

It's about as good as PR as any. They coded an OS with more holes than a termite-infested house, lied about making a brand-spanking new one from scratch (Vista), and loads of other fuckups that generally make Windows a security nightmare. So this kinda stuff makes them look tough on Internets crime, when really the best way to solve it would be to make their OS, browser, etc. a hell of a lot safer.

The issue is its users *ahem* corporate america *ahem* who still use 10 year old operating systems. You know the ones who say on slashdot its fine so why upgrade?

Then get all mad that the OS is insecure when it was released in 2001.

Windows 7 has DEP, ASLR, and sandboxing in IE 8/IE 9. Firefox does not even support sandboxing yet which is why I quit using it a year ago when 4.0 came out. In many ways Windows 7 is the most secure OS out there today. If you bash it

Just because you do not like a company's products does not mean you can't applaud their actions or maybe even a product that doesn't suck made by them?

I do not know anyone who likes all of Microsofts products. Even Windows fanboys hate older IE or Exchange.

I disliked MS greatly a decade ago and viewed them as dangerous. IE 6 scared the crap out of me and seeing what it would do to interopability of CSS standards. I even wished Apple would have won over Windows a decade ago too.... fast forward today and we

I have a problem with the police/a corporation seizing the computer of some small business that probably had nothing to do with the bot net.

What if the control servers were still using public IRC servers, should microsoft be allowed to seize freenode?
What if they were using public services as C&C?
What about AC slashdot comments , spam messages on blogger, random twitter accounts, or even a.gov?

Seized equipment disappears for year at a time, and if a business doesn't have IT that can notice a bot

Have to remain vague to be in accordance of NDAs, but I've been part of such a sting before. On the "good" side, don't get your panties in a knot. It's not as glamorous as it may look at first (it's decidedly NOT like on TV to raid a server hoster). We went in, we cashed in the servers, we went back out, all with the aid of the hoster who, in turn, didn't do anything wrong but was required to cooperate, and did so quite easily. You wave that warrant in front of their nose and they do whatever you want (as long as it's in the warrant, of course).

Before we had the servers dissected and analyzed, the bot herders rerouted to other controlling servers. It's like playing whack-a-mole. The time wasted to get every kind of evidence collected so everything's in order and you get the necessary paperwork ready is a billion times what's needed for the other side to switch over to new servers. And they know that bloody well.

Before you get the wrong idea, the solution is NOT to eliminate due process and let me go nuts on every server hoster in the country, seizing servers as I please. This is not going to do any good. Or rather, do more ill than good. The solution is on the client's side. It's trivial to come up with something that can analyze network traffic and identify bot traffic. Of course, such a device has to be under the control of the customer. Not the ISP. The field for abuse is even wider there. Require people to monitor their traffic. Net access is no more a right than the right to drive a car, and here you have to make sure that your car does not cause trouble to other participants in traffic, why should that not apply for the internet?

This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

Of course, such a device has to be under the control of the customer. Not the ISP.

This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

Of course, such a device has to be under the control of the customer. Not the ISP.

This can easily be rolled into a little box that gets updates regularly from its maker, with the current markers for bot traffic, not unlike how we deal with malware on computers already. Just that this time the box is not prone to user idiocy, clicking "yeah, go on" whenever some trojan wants a new home.

So on the one hand, you say you want to put control into the hands of the user to avoid the ISPs. Then you follow that by saying you want to put control into the hands of the maker to avoid the idiocy of the users.

This doesn't quite make sense to me. Why should we assume the makers of an anti-botnet box are any better than ISPs?

Well, to start with, the ISP can cut you off from the internet, possibly with a false allegation.The maker of the bot detection box can... stop sending you updates?If you have problems with the box, you probably have more choice than with your ISP, not to mention that you can just remove the box from teh loop if it is giving you problems.It is much harder to remove your ISP from the loop, particularly when they are the only service provider in your area...

tell me how the common bobby quickshot is going to be able to identify botnet traffic from his connection when he's barely literate enough to play farmville on FB? IMO it's become a real crime that MS still can't follow the simple "Deny All" policy and ask the user if they want to allow before allowing anything to happen. Yes it'll teach another bunch of Joe Sixpacks and Bobby Quickshots to simply click O'kay and at that point, the ISP does need to get involved and start isolating these idiots from the gene

The slang term 'sting' means a swindle or fraud. This article doesn't mention any of that - just that Microsoft again seized C&C servers for the botnet. They likely determined which servers were providing C&C for the botnet by good old fashioned detective work, not some elaborate con perpetrated against the operators of the botnet.

In law enforcement, a sting operation is a deceptive operation designed to catch a person committing a crime.

Again, in what way was this a sting? There was no deception involved, at least none that was mentioned in the article. The headline says it was a sting, but nowhere in the article is there any mention of any sort of deception. In fact the article really says nothing at all about how they identified the C&C hosts that were seized. Typically researchers locate C&C servers by analyzing the network traffic to/from a compromised server. How does network analysis equate to deception?